[graphical gui] Whonix Setup Wizard / Anon Connection Wizard - Technical Discussion

This is https://github.com/Whonix/whonixcheck/blob/master/usr/lib/whonixcheck/check_tor_config.bsh which is in essence running:

sudo --non-interactive -u debian-tor tor --verify-config
  • Could you please confirm that sudo --non-interactive -u debian-tor tor --verify-config will exit non-zero (1)? (echo $?)
  • Could you please confirm that Tor is actually running? sudo systemctl status tor@default
  • And Tor is also functional, connectivity is working?

In that case, it looks like a bug in tor --verify-config.

Tor’s systemd unit /lib/systemd/system/tor@default.service used to run tor --verify-config, but apparently it is no longer doing so in Debian stretch.

It seems like tor --verify-config reports a missing Tor .d config folder as an error while Tor itself does not. This I would consider a bug. If that is true, could you report a bug against Tor please?

1 Like

After running anon-connection-wizard, checked with
sudo --non-interactive -u debian-tor tor --verify-config; echo "exit code $?"

It returns exit 0.

Dec 31 17:00:30.156 [notice] Tor 0.3.1.9 (git-df96a13e9155c7bf) running on Linux with Libevent 2.0.21-stable, OpenSSL 1.1.0f, Zlib 1.2.8, Liblzma 5.2.2, and Libzstd 1.1.2.
Dec 31 17:00:30.156 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Dec 31 17:00:30.157 [notice] Read configuration file "/etc/tor/torrc".
Configuration was valid
exit code 0

Restarting tor is OK, everything is functional, but whonixcheck is still complaining.

If we comment out the line %include /etc/tor/torrc.d in /etc/torrc, then whonixcheck runs without tor warning.

1 Like

Alright, so I think it’s a tor --verify-config bug.

Shall I disable this check in whonixcheck, or shall we just make sure that folder exists in the next upgrade (Whonix 14 of course, another iteration, package upgrade can be very soon)?

1 Like

I think it would be better to create the folder in the, or a, package instead of disabling the check, because other things might go wrong in /etc/tor/torrc, user tampering being one.

2 Likes

Or maybe not. whonixcheck is still complaining when /etc/torrc.d exists.

2 Likes

AppArmor is not allowing whonixcheck to read /etc/torrc.d. I’ll update the profile.

2 Likes

@iry

Hi @troubadour ! I know that Whonix has been using guimessage module to do the translation, but I just learned a more standard and widely used way to do this is using gettext. Do you know if there was any concern that makes us use guimessage instead of gettext?

No, there was no concern about gettext. When we started to get rid of the hard-coded messages in the scripts, we found that solution (the gui-message script was written by nrgaway).

Later, I have been in touch with the people at translatewiki. They told me that yaml files solution was not standard and that we would run into problems sooner or later. I do not remember the exact content of the conversation, but at the end they did recommend gettext. I had no time to dig into it.

2 Likes

troubadour:

at the end they did recommend gettext. I had no time to dig into it.

Sounds great! Let’s use gettext for the Whonix applications for more translatable form and less dependencies!

1 Like

I got the complaint again when the VM was started; however, when I tried the following command line, it seems there is nothing wrong with the Tor configuration.

user@host:~$ sudo --non-interactive -u debian-tor tor --verify-config
Jan 03 18:50:17.363 [notice] Tor 0.3.1.9 (git-df96a13e9155c7bf) running on Linux with Libevent 2.0.21-stable, OpenSSL 1.1.0f, Zlib 1.2.8, Liblzma 5.2.2, and Libzstd 1.1.2.
Jan 03 18:50:17.363 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Jan 03 18:50:17.363 [notice] Read configuration file "/etc/tor/torrc".
Configuration was valid
user@host:~$ echo $?
0
user@host:~$ sudo systemctl status tor@default
● tor@default.service - Anonymizing overlay network for TCP
   Loaded: loaded (/lib/systemd/system/tor@default.service; static; vendor preset: enabled)
  Drop-In: /lib/systemd/system/tor@default.service.d
           └─30_qubes.conf, 40_obfs4proxy-workaround.conf, 40_qubes.conf
   Active: active (running) since Wed 2018-01-03 18:49:16 UTC; 1min 29s ago
  Process: 961 ExecStartPre=/usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 0 --verify-config (
  Process: 929 ExecStartPre=/usr/bin/install -Z -m 02755 -o debian-tor -g debian-tor -d /var/run/tor (code=exited, status=0/SUCCESS)
 Main PID: 995 (tor)
    Tasks: 1 (limit: 4915)
   CGroup: /system.slice/system-tor.slice/tor@default.service
           └─995 /usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 0

1 Like

You probably have to re-run anon-connection-wizard.

The whonixcheck error pops up because the line %include /etc/torrc.d exists in torrc, but /etc/torrc.d was lost on shutdown.

Wondering why /etc/tor/torrc is not reset too.

1 Like
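
The situation described in the post above, a `%include` line that stays in torrc while its target directory is gone, can be checked for directly. The shell function below is an added example, not part of the thread or of whonixcheck; `check_torrc_includes` is a hypothetical name and the torrc it runs on is constructed in a temporary directory. It assumes one path without spaces per `%include` line and only tests file-system existence and readability for the calling user, so an AppArmor denial that applies to a confined program is not visible to it.

```shell
#!/bin/sh
# Added example (hypothetical helper, not whonixcheck code).
# Prints one line per %include target in a torrc: OK, MISSING or UNREADABLE.
# Returns 0 if every target is usable, 1 otherwise, 2 if the torrc is unreadable.
check_torrc_includes() {
    torrc=$1
    rc=0
    [ -r "$torrc" ] || { echo "UNREADABLE $torrc"; return 2; }
    # read splits on whitespace: first word is the keyword, second the path.
    while read -r keyword target rest || [ -n "$keyword" ]; do
        [ "$keyword" = "%include" ] || continue   # skips comments and options
        target=${target#\"}; target=${target%\"}  # drop optional double quotes
        if [ ! -e "$target" ]; then
            echo "MISSING $target"; rc=1
        elif [ ! -r "$target" ]; then
            echo "UNREADABLE $target"; rc=1
        else
            echo "OK $target"
        fi
    done < "$torrc"
    return "$rc"
}

# Constructed sample: a torrc that includes a directory, checked before and
# after the directory disappears.
demo_dir=$(mktemp -d)
mkdir "$demo_dir/torrc.d"
printf '# constructed torrc\n%%include %s\n' "$demo_dir/torrc.d" > "$demo_dir/torrc"
check_torrc_includes "$demo_dir/torrc" || echo "exit code $?"
rmdir "$demo_dir/torrc.d"
check_torrc_includes "$demo_dir/torrc" || echo "exit code $?"
rm -rf "$demo_dir"
```
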

Hi troubadour!

I used a standalone VM where everything is persistent. So I guess this is not the problem?

Because a rule has been added here to make it persistent in a TemplateBased VM:

1 Like

Thanks. Still have to catch up.

Strange. If everything is persistent, it should work after installing the last patch to whonixcheck apparmor profile.

2 Likes

About integration, done with whonix-repository-wizard in whonix-repository package.

2 Likes

Because it’s part of bind-dirs.

How to make any file persistent (bind-dirs) | Qubes OS

/etc/tor/torrc.d should not be directly part of bind-dirs. The full plan is here:

[graphical gui] Whonix Setup Wizard / Anon Connection Wizard - Technical Discussion - #388 by Patrick

1 Like

Let’s keep the package https://github.com/Whonix/whonix-setup-wizard for future use:

1 Like

May I start to remove the disclaimer from whonix-setup-wizard now?

iry:

May I start to remove the disclaimer from whonix-setup-wizard now?

Yes.

1 Like

Done, along with many other changes:

https://github.com/Whonix/whonix-setup-wizard/pull/3

2 Likes

Could you please also remove the now unused messages such as no_torrc since these were moved to anon-connection-wizard?

1 Like

Could you review and test please? @iry


Since whonix-repository-wizard gets merged into whonix-repository package, could you please also remove whonix-repository-wizard from whonix-setup-wizard?


qubes-whonix /usr/lib/qubes-whonix/qubes-whonixsetup still using whonix-setup-wizard quick
(qubes-whonix/qubes-whonixsetup at master · Whonix/qubes-whonix · GitHub)

1 Like